Olympic Destroyer was involved in a new wave of cyber attacks

Olympic Destroyer, the malicious code that was used in attacks against Winter Games in Pyeongchang, was involved in a new wave of cyber attacks.

The same malware used in recent Olympic Winter Games in Pyeongchang, tracked as Olympic Destroyer, has been used in a new wave of attacks against organizations in Germany, France, the Netherlands, Russia, Switzerland, and Ukraine.

Shortly before the opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down.

While the source of the attacks is uncertain, the Cisco Talos blog post is clear in identifying motivation, “Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.”

Threat actors behind Olympic Destroyer planted false flags and artifacts inside the wiper to make hard the attribution. Security experts that investigated the case believe the attack was powered by a nation-state actor likely linked to North Korea, Russia or China.

Back to the present, experts from Kaspersky Lab uncovered new cyber attacks involving Olympic Destroyer in May and June.

The threat actors targeted financial companies in Russia and European organizations involved in protection against chemical and biological threats.

“In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again. However, this time the attacker has new targets.” reads the analysis published by Kaspersky.

“According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine. They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection.”

The attackers spread the malware via spear-phishing messages using weaponized documents, many of which referenced bio-chemical threat research.

The experts observed that the some of the emails were written in perfect Russian, likely a Russian speaker was involved in the campaigns.

The campaigns involved PowerShell scripts and Powershell Empire, the latter is an open-source framework that allows fileless control of the compromised machine, it has also a modular architecture and relies on encrypted communication.

The threat actors leveraged compromised legitimate web servers as command and control infrastructure, many servers were running vulnerable versions of the Joomla content management system.

According to the experts, the fact that hackers hit financial organizations suggests that Olympic Destroyer is currently used by several threat actors, both nation-state actors and cybercrime gangs.

Another scenario sees a foreign government that may have hired a crime gang to power the attack, or that the financial-focused attacks could be a false flag planted to make hard the attribution.

“It’s possible that in this case we have observed a reconnaissance stage that will be followed by a wave of destructive attacks with new motives. That is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits,” concluded Kaspersky Labs.

“he variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.”

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.AcceptRead More

Privacy and Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.